So I have a code offering today, which I’m calling DangItBobby.ps1. It lets you remotely disable the NIC of a computer given only the username that is logged in. In essence, when in the middle of a ransomware infection, and you see that the owner of all the files is changing to Bobby, you run the script and provide credentials of a local admin account. Then you tell it you’re looking for Bobby, it’ll check AD to make sure that’s a valid account, then check with WMI to see if there’s an explorer.exe process running under Bobby’s context on each computer, which you can narrow down with the first few characters of what the workstation might be. If they’re logged into multiple workstations it’ll let you choose which one to work with. Then it’ll give you a list of NICs and a little information about each one, and let you choose which one to disable.
I hope I don’t need to tell you to be careful running this.